
Question: How to use an FTPS connection with a wildcard SSL certificate?

MicheleB

Regular Pleskian
I'd like to protect the FTP communications using the SSL/TLS protocol, but every time I try to open a secure connection, my FTP client (Transmit) shows me an alert message (see the attachment) saying it can't verify the identity of the server.

I'm using a wildcard SSL certificate for the domain, but it is not recognised as valid for the ftp.mydomain.com address.
The SSL certificate is loaded in "Tools & Settings -> SSL/TLS Certificates", used "for securing Plesk/mail" and set as default in the "server pool" list.

I'm using these parameters for the connection:
Protocol: FTP with TLS/SSL (with "passive mode" checked)
Address: ftp.mydomain.com
Port: 21

I've tried with ftps.mydomain.com but Transmit can't find the server.
How can I fix it? Is it necessary to configure something on the server (I've already set the Security Policy in Plesk)?
Thanks.

 
If it helps... @MicheleB we consigned normal FTP to the bin a long time ago, because it's pretty slow and not secure enough. Our chosen setup is: allow only secure FTPS connections within Plesk, and SFTP (SSH File Transfer Protocol) within FileZilla. Plus... the SSH (secure shell) server tool is enabled within the Firewall settings (i.e. also within Plesk). In turn, this tool is restricted to certain IP addresses. So unless somebody puts in a lot of time and effort in order to a) guess those IP addresses and then b) spoof one of them, both SSH and SFTP are secure and have restricted access, but always work very well (for us).

Edit: Sorry, we use some Let's Encrypt wildcard certificates too, but have no problems using this ^^ setup as SSH is the key ;)
 
... setup as SSH is the key ;)

Ok, thanks, I'll take your suggestions, but my problem is not with the FTP connection but with the SSL authentication: it doesn't recognise the wildcard certificate, so Plesk is not considered a "trusted server" (hence the alert message from FTP clients such as Transmit: "can't verify the identity of the server").

In Dreamweaver (the WYSIWYG editor), if I use "FTP over SSL/TLS (explicit encryption)" with authentication set to "none (encryption only)" it works fine, but if I change this last option to "Trusted server", I receive the authentication error.

I think that a wildcard certificate "*.mydomain.com" should be enough to accept "ftp.mydomain.com" as a trusted server, or am I missing something?
 
For my information... is it possible to activate a wildcard certificate with Let's Encrypt on Plesk?
On my version (17.8.11, Debian 9.6) I can't see this option, only single domain/subdomain.
Yes it is. There are quite a few existing threads on this very topic and it's covered in detail here: Managing Let's Encrypt Settings. Have a look at the acme-directory-url and acme-protocol-version sections. You can edit your panel.ini file using the Panel.ini Editor Plesk extension.
 

Great, thanks! I didn't know about this feature.
I've only one doubt: why don't Parallels' developers enable "ACME v2" by default on Plesk? Is there some compatibility/stability problem?
 
...but my problem is not with the FTP connection but with the SSL authentication: it doesn't recognise the wildcard certificate, so Plesk is not considered a "trusted server" (hence the alert message from FTP clients such as Transmit: "can't verify the identity of the server"). In Dreamweaver (the WYSIWYG editor), if I use "FTP over SSL/TLS (explicit encryption)" with authentication set to "none (encryption only)" it works fine, but if I change this last option to "Trusted server", I receive the authentication error. I think that a wildcard certificate "*.mydomain.com" should be enough to accept "ftp.mydomain.com" as a trusted server, or am I missing something?
Ahhh, okay. FTP we've already mentioned ;) There's nothing wrong with wildcard Let's Encrypt certificates; they are always 100% valid, as indeed is Plesk itself. It depends on how you have applied the certificate and where :) i.e. what your certificate path is (you can quickly see that by running a test on SSL Server Test (Powered by Qualys SSL Labs), where you can check that the certificate you mention IS for the host FQDN, for example, and many other things really). You can just work slowly through all the checks, but the reason for that 'untrusted' note is most probably already within the setup details that you have.
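An added check, not from the thread or from Plesk: the SSL Labs test only inspects HTTPS on port 443, whereas Transmit and Dreamweaver verify the certificate the FTP server sends on port 21 after AUTH TLS. The script below fetches that certificate and compares its names against the connected hostname using the single-label wildcard rule, which is what decides whether `*.mydomain.com` covers `ftp.mydomain.com`; `ftp.mydomain.com` is the placeholder host from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Plesk. Shows which certificate an
# FTP server presents with explicit TLS (AUTH TLS on port 21) and whether the
# names in it cover the hostname the client connected to.

# Print subject and DNS subjectAltName entries of the certificate the FTP
# server sends after AUTH TLS. Works with the openssl 1.1.0 shipped in Debian 9.
ftps_server_cert() {
    host="$1"; port="${2:-21}"
    printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" \
        -starttls ftp -servername "$host" 2>/dev/null \
        | openssl x509 -noout -subject -text | grep -E 'Subject:|DNS:'
}

# Return 0 when a certificate name covers the hostname. A wildcard stands for
# exactly one leftmost label: *.mydomain.com covers ftp.mydomain.com but not
# mydomain.com itself and not a.b.mydomain.com. Comparison is case-insensitive.
name_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        \*.*)
            suffix="${pattern#\*}"      # ".mydomain.com"
            leftmost="${name%%.*}"      # "ftp"
            [ -n "$leftmost" ] && [ "$name" = "$leftmost$suffix" ]
            ;;
        *)
            [ "$pattern" = "$name" ]
            ;;
    esac
}

# Return 0 if any of the names (CN plus DNS SANs) covers the hostname.
cert_covers_host() {
    host="$1"; shift
    for n in "$@"; do
        name_matches "$n" "$host" && return 0
    done
    return 1
}

# Live check, run by hand (needs network); the host is a placeholder:
#   names=$(ftps_server_cert ftp.mydomain.com | grep -o 'DNS:[^,]*' | sed 's/DNS://')
#   cert_covers_host ftp.mydomain.com $names && echo covered || echo NOT covered
```

If the subject and SAN lines show a self-signed or panel hostname certificate rather than the wildcard, the FTP service is not using the certificate you installed, which is exactly the condition that produces the "can't verify the identity of the server" alert.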
 
Great, thanks! I didn't know about this feature.
I've only one doubt: why don't Parallels' developers enable "ACME v2" by default on Plesk? Is there some compatibility/stability problem?
:D No idea of the answer to that one. Only the extension providers will know for definite. I doubt it's related to a compatibility/stability problem (it works perfectly so far if/when we use it), but you could ask on here: Let's Encrypt extension
 

I've found this information in the documentation:
"Let’s Encrypt uses the ACMEv2 protocol to issue wildcard SSL/TLS certificates, while the Let’s Encrypt extension, by default, uses ACMEv1, which is more stable."

For me, "more stable" is always synonymous with "production ready", as opposed to other major versions being "beta".
Anyway, I'll take a look, thanks.
 
Yes, your concern from that wording may be understandable. However, we can only think that wording was their initial thought, as ACMEv2 has been "production ready" with many different suppliers for a long time now. The Plesk extension does work (using ACMEv2) without any errors, as far as we know. Most people's problems seem to relate to using the right certificate / right domain / right location etc., and even more once wildcards are used. You should have no problems at all (hopefully) once you've had a chance to check / try everything / change anything needed :)
 